Xeno, We take security issues very seriously. It is ASF policy that no one should publicly discuss security issues before a patch is available. In this case that policy was not followed by someone outside of the ASF who should know better.
Most people will read this CVE and conclude it is not as serious as it sounds. However, there may be users for whom this is a concern. Had we not created a CVE they would most likely not be aware of the issue. As with all security issues, you need to understand the problem and then determine for yourself how it impacts you.

Ralph

> On Dec 28, 2021, at 3:10 PM, Xeno Amess <[email protected]> wrote:
>
> sigh..
> so 2.17.1 IS a security fix now?
>
> XenoAmess
> ________________________________
> From: Matt Sicker <[email protected]>
> Sent: Wednesday, December 29, 2021 4:07:48 AM
> To: [email protected] <[email protected]>
> Subject: Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC
> Appender when attacker controls configuration
>
> There's no specific commit yet, just branches. The commits are coming over
> the next few hours as we cut the release candidates.
> --
> Matt Sicker
>
>> On Dec 28, 2021, at 14:06, Jason Pyeron <[email protected]> wrote:
>>
>>> -----Original Message-----
>>> From: Gary Gregory
>>> Sent: Tuesday, December 28, 2021 3:02 PM
>>>
>> <snip/>
>>>
>>> 2.12.4 and 2.3.2 are brewing.
>>
>> I see, are they in git? If so, what commit?
>>
>> -Jason
>>
>
